CORS Policy has been blocked my subdomain

99封情书 提交于 2021-02-17 05:37:08

问题


I have a same domain, one of them is domain without prefix www. For example,

  1. https://www.example.com
  2. https://example.com

First domain works fine because it is default domain. But second one has gives error when I do CRUD or accessing any api service.

Access to XMLHttpRequest at 'https://www.example.com/hubCon/negotiate' from origin 'https://example.com' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: The value of the 'Access-Control-Allow-Origin' header in the response must not be the wildcard '*' when the request's credentials mode is 'include'. The credentials mode of requests initiated by the XMLHttpRequest is controlled by the withCredentials attribute.

I tried the code in the article published by Microsoft, but it doesn't works.

I am using .Net Core 2.2 version. This is my Startup.cs

    public void ConfigureServices(IServiceCollection services)
    {
        services.AddCors(options =>
        {
            options.AddPolicy(MyAllowSpecificOrigins,
            builder =>
            {
                builder.WithOrigins("https://example.com")
                .AllowAnyMethod()
                .AllowAnyHeader()
                .AllowAnyOrigin()
                .AllowCredentials();
            });
        });

        services.AddMvc().AddJsonOptions(options =>
        {
            options.SerializerSettings.ReferenceLoopHandling = ReferenceLoopHandling.Ignore;
        }).SetCompatibilityVersion(CompatibilityVersion.Version_2_2);


        services.AddSignalR();
    }
    public void Configure(IApplicationBuilder app, IHostingEnvironment env)
    {
        if (env.IsDevelopment())
        {
            app.UseDeveloperExceptionPage();
        }
        else
        {
            app.UseExceptionHandler("/Error");
            app.UseHsts();
        }

        app.UseCors(MyAllowSpecificOrigins);
        app.UseForwardedHeaders(new ForwardedHeadersOptions
        {
            ForwardedHeaders = ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto
        });

        app.UseHttpsRedirection();
        app.UseStatusCodePages();
        app.UseStaticFiles();
        app.UseAuthentication();


        app.UseSignalR(routes =>
        {
            routes.MapHub<HubSignal>("/hubCon");
        });

        app.UseMvc(routes =>
        {
            routes.MapRoute(
                name: "default",
                template: "{controller=Home}/{action=Index}/{id?}"
                );
        });
    }

So, I couldn't understand why the project gives error.

Thanks for your answers.


回答1:


You can't use AllowAnyOrigin with AllowCredentials. Below is an example that allows wildcard domains with CORS.

This code goes in ConfigureServices:

services.AddCors(options =>
        {
            options.AddPolicy("_AllowOrigin",
                builder => builder
                    .SetIsOriginAllowedToAllowWildcardSubdomains()
                    .WithOrigins("https://localhost:44385", "https://*.azurewebsites.net", "http://*.azurewebsites.net")
                    .AllowAnyHeader()
                    .AllowAnyMethod()
                    .AllowCredentials()
                );
        });

Don't forget to decorate your action in your controller:

    [EnableCors("_AllowOrigin")]



回答2:


This happens because you have specified both:

  • AllowAnyOrigin()
  • AllowCredentials();

This configuration is not supported. See the doc:

Specifying AllowAnyOrigin and AllowCredentials is an insecure configuration and can result in cross-site request forgery. The CORS service returns an invalid CORS response when an app is configured with both methods.

You should remove the call to AllowAnyOrigin method



来源:https://stackoverflow.com/questions/57466671/cors-policy-has-been-blocked-my-subdomain

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!